diff --git a/pam-1.5.2-pwhistory-config.patch b/pam-1.5.2-pwhistory-config.patch
new file mode 100644
index 0000000..c943450
--- /dev/null
+++ b/pam-1.5.2-pwhistory-config.patch
@@ -0,0 +1,489 @@
+diff -up Linux-PAM-1.5.2/modules/pam_pwhistory/Makefile.am.pwhistory-config Linux-PAM-1.5.2/modules/pam_pwhistory/Makefile.am
+--- Linux-PAM-1.5.2/modules/pam_pwhistory/Makefile.am.pwhistory-config 2021-09-03 13:59:07.000000000 +0200
++++ Linux-PAM-1.5.2/modules/pam_pwhistory/Makefile.am 2022-07-18 11:31:50.774295494 +0200
+@@ -9,9 +9,10 @@ MAINTAINERCLEANFILES = $(MANS) README
+ EXTRA_DIST = $(XMLS)
+
+ if HAVE_DOC
+-dist_man_MANS = pam_pwhistory.8 pwhistory_helper.8
++dist_man_MANS = pam_pwhistory.8 pwhistory_helper.8 pwhistory.conf.5
+ endif
+-XMLS = README.xml pam_pwhistory.8.xml pwhistory_helper.8.xml
++XMLS = README.xml pam_pwhistory.8.xml pwhistory_helper.8.xml \
++ pwhistory.conf.5.xml
+ dist_check_SCRIPTS = tst-pam_pwhistory
+ TESTS = $(dist_check_SCRIPTS)
+
+@@ -26,12 +27,14 @@ if HAVE_VERSIONING
+ pam_pwhistory_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
+ endif
+
+-noinst_HEADERS = opasswd.h
++noinst_HEADERS = opasswd.h pwhistory_config.h
++
++dist_secureconf_DATA = pwhistory.conf
+
+ securelib_LTLIBRARIES = pam_pwhistory.la
+ pam_pwhistory_la_CFLAGS = $(AM_CFLAGS)
+ pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ @LIBSELINUX@
+-pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c
++pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c pwhistory_config.c
+
+ sbin_PROGRAMS = pwhistory_helper
+ pwhistory_helper_CFLAGS = $(AM_CFLAGS) -DHELPER_COMPILE=\"pwhistory_helper\" @EXE_CFLAGS@
+diff -up Linux-PAM-1.5.2/modules/pam_pwhistory/pam_pwhistory.8.xml.pwhistory-config Linux-PAM-1.5.2/modules/pam_pwhistory/pam_pwhistory.8.xml
+--- Linux-PAM-1.5.2/modules/pam_pwhistory/pam_pwhistory.8.xml.pwhistory-config 2021-09-03 13:59:07.000000000 +0200
++++ Linux-PAM-1.5.2/modules/pam_pwhistory/pam_pwhistory.8.xml 2022-07-18 11:35:24.912807324 +0200
+@@ -36,6 +36,9 @@
+
+ authtok_type=STRING
+
++
++ conf=/path/to/config-file
++
+
+
+
+@@ -104,7 +107,7 @@
+
+
+ The last N passwords for each
+- user are saved in /etc/security/opasswd.
++ user are saved.
+ The default is 10. Value of
+ 0 makes the module to keep the existing
+ contents of the opasswd file unchanged.
+@@ -137,7 +140,26 @@
+
+
+
++
++
++
++
++
++
++ Use another configuration file instead of the default
++ /etc/security/pwhistory.conf.
++
++
++
++
+
++
++ The options for configuring the module behavior are described in the
++ pwhistory.conf
++ 5 manual page. The options
++ specified on the module command line override the values from the
++ configuration file.
++
+
+
+
+@@ -223,6 +245,9 @@ password required pam_unix.so
+ SEE ALSO
+
+
++ pwhistory.conf5
++ ,
++
+ pam.conf5
+ ,
+
+diff -up Linux-PAM-1.5.2/modules/pam_pwhistory/pam_pwhistory.c.pwhistory-config Linux-PAM-1.5.2/modules/pam_pwhistory/pam_pwhistory.c
+--- Linux-PAM-1.5.2/modules/pam_pwhistory/pam_pwhistory.c.pwhistory-config 2021-09-03 13:59:07.000000000 +0200
++++ Linux-PAM-1.5.2/modules/pam_pwhistory/pam_pwhistory.c 2022-07-18 11:34:34.465451167 +0200
+@@ -63,14 +63,8 @@
+
+ #include "opasswd.h"
+ #include "pam_inline.h"
++#include "pwhistory_config.h"
+
+-struct options_t {
+- int debug;
+- int enforce_for_root;
+- int remember;
+- int tries;
+-};
+-typedef struct options_t options_t;
+
+
+ static void
+@@ -299,6 +293,8 @@ pam_sm_chauthtok (pam_handle_t *pamh, in
+ options.remember = 10;
+ options.tries = 1;
+
++ parse_config_file(pamh, argc, argv, &options);
++
+ /* Parse parameters for module */
+ for ( ; argc-- > 0; argv++)
+ parse_option (pamh, *argv, &options);
+@@ -306,7 +302,6 @@ pam_sm_chauthtok (pam_handle_t *pamh, in
+ if (options.debug)
+ pam_syslog (pamh, LOG_DEBUG, "pam_sm_chauthtok entered");
+
+-
+ if (options.remember == 0)
+ return PAM_IGNORE;
+
+diff -up Linux-PAM-1.5.2/modules/pam_pwhistory/pwhistory.conf.5.xml.pwhistory-config Linux-PAM-1.5.2/modules/pam_pwhistory/pwhistory.conf.5.xml
+--- Linux-PAM-1.5.2/modules/pam_pwhistory/pwhistory.conf.5.xml.pwhistory-config 2022-07-18 11:31:50.774295494 +0200
++++ Linux-PAM-1.5.2/modules/pam_pwhistory/pwhistory.conf.5.xml 2022-07-18 11:31:50.774295494 +0200
+@@ -0,0 +1,155 @@
++
++
++
++
++
++
++ pwhistory.conf
++ 5
++ Linux-PAM Manual
++
++
++
++ pwhistory.conf
++ pam_pwhistory configuration file
++
++
++
++
++ DESCRIPTION
++
++ pwhistory.conf provides a way to configure the
++ default settings for saving the last passwords for each user.
++ This file is read by the pam_pwhistory module and is the
++ preferred method over configuring pam_pwhistory directly.
++
++
++ The file has a very simple name = value format with possible comments
++ starting with # character. The whitespace at the beginning of line, end
++ of line, and around the = sign is ignored.
++
++
++
++
++
++ OPTIONS
++
++
++
++
++
++
++
++ Turns on debugging via
++
++ syslog3
++ .
++
++
++
++
++
++
++
++
++
++ If this option is set, the check is enforced for root, too.
++
++
++
++
++
++
++
++
++
++ The last N passwords for each
++ user are saved.
++ The default is 10. Value of
++ 0 makes the module to keep the existing
++ contents of the opasswd file unchanged.
++
++
++
++
++
++
++
++
++
++ Prompt user at most N times
++ before returning with error. The default is 1.
++
++
++
++
++
++
++
++
++
++ Store password history in file
++ /path/filename rather than the default
++ location. The default location is
++ /etc/security/opasswd.
++
++
++
++
++
++
++
++ EXAMPLES
++
++ /etc/security/pwhistory.conf file example:
++
++
++debug
++remember=5
++file=/tmp/opasswd
++
++
++
++
++ FILES
++
++
++ /etc/security/pwhistory.conf
++
++ the config file for custom options
++
++
++
++
++
++
++ SEE ALSO
++
++
++ pwhistory8
++ ,
++
++ pam_pwhistory8
++ ,
++
++ pam.conf5
++ ,
++
++ pam.d5
++ ,
++
++ pam8
++
++
++
++
++
++ AUTHOR
++
++ pam_pwhistory was written by Thorsten Kukuk. The support for
++ pwhistory.conf was written by Iker Pedrosa.
++
++
++
++
+diff -up Linux-PAM-1.5.2/modules/pam_pwhistory/pwhistory_config.c.pwhistory-config Linux-PAM-1.5.2/modules/pam_pwhistory/pwhistory_config.c
+--- Linux-PAM-1.5.2/modules/pam_pwhistory/pwhistory_config.c.pwhistory-config 2022-07-18 11:31:50.774295494 +0200
++++ Linux-PAM-1.5.2/modules/pam_pwhistory/pwhistory_config.c 2022-07-18 11:31:50.774295494 +0200
+@@ -0,0 +1,115 @@
++/*
++ * Copyright (c) 2022 Iker Pedrosa
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, and the entire permission notice in its entirety,
++ * including the disclaimer of warranties.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. The name of the author may not be used to endorse or promote
++ * products derived from this software without specific prior
++ * written permission.
++ *
++ * ALTERNATIVELY, this product may be distributed under the terms of
++ * the GNU Public License, in which case the provisions of the GPL are
++ * required INSTEAD OF the above restrictions. (This clause is
++ * necessary due to a potential bad interaction between the GPL and
++ * the restrictions contained in a BSD-style copyright.)
++ *
++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
++ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#include "config.h"
++
++#include
++#include
++#include
++#include
++
++#include
++
++#include "pam_inline.h"
++#include "pwhistory_config.h"
++
++#define PWHISTORY_DEFAULT_CONF "/etc/security/pwhistory.conf"
++
++void
++parse_config_file(pam_handle_t *pamh, int argc, const char **argv,
++ struct options_t *options)
++{
++ const char *fname = NULL;
++ int i;
++ char *val;
++
++ for (i = 0; i < argc; ++i) {
++ const char *str = pam_str_skip_prefix(argv[i], "conf=");
++
++ if (str != NULL) {
++ fname = str;
++ }
++ }
++
++ if (fname == NULL) {
++ fname = PWHISTORY_DEFAULT_CONF;
++ }
++
++ val = pam_modutil_search_key (pamh, fname, "debug");
++ if (val != NULL) {
++ options->debug = 1;
++ free(val);
++ }
++
++ val = pam_modutil_search_key (pamh, fname, "enforce_for_root");
++ if (val != NULL) {
++ options->enforce_for_root = 1;
++ free(val);
++ }
++
++ val = pam_modutil_search_key (pamh, fname, "remember");
++ if (val != NULL) {
++ unsigned int temp;
++ if (sscanf(val, "%u", &temp) != 1) {
++ pam_syslog(pamh, LOG_ERR,
++ "Bad number supplied for remember argument");
++ } else {
++ options->remember = temp;
++ }
++ free(val);
++ }
++
++ val = pam_modutil_search_key (pamh, fname, "retry");
++ if (val != NULL) {
++ unsigned int temp;
++ if (sscanf(val, "%u", &temp) != 1) {
++ pam_syslog(pamh, LOG_ERR,
++ "Bad number supplied for retry argument");
++ } else {
++ options->tries = temp;
++ }
++ free(val);
++ }
++
++ val = pam_modutil_search_key (pamh, fname, "file");
++ if (val != NULL) {
++ if (*val != '/') {
++ pam_syslog (pamh, LOG_ERR,
++ "File path should be absolute: %s", val);
++ } else {
++ options->filename = val;
++ }
++ }
++}
+diff -up Linux-PAM-1.5.2/modules/pam_pwhistory/pwhistory_config.h.pwhistory-config Linux-PAM-1.5.2/modules/pam_pwhistory/pwhistory_config.h
+--- Linux-PAM-1.5.2/modules/pam_pwhistory/pwhistory_config.h.pwhistory-config 2022-07-18 11:31:50.774295494 +0200
++++ Linux-PAM-1.5.2/modules/pam_pwhistory/pwhistory_config.h 2022-07-18 11:31:50.774295494 +0200
+@@ -0,0 +1,54 @@
++/*
++ * Copyright (c) 2022 Iker Pedrosa
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, and the entire permission notice in its entirety,
++ * including the disclaimer of warranties.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. The name of the author may not be used to endorse or promote
++ * products derived from this software without specific prior
++ * written permission.
++ *
++ * ALTERNATIVELY, this product may be distributed under the terms of
++ * the GNU Public License, in which case the provisions of the GPL are
++ * required INSTEAD OF the above restrictions. (This clause is
++ * necessary due to a potential bad interaction between the GPL and
++ * the restrictions contained in a BSD-style copyright.)
++ *
++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
++ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#ifndef _PWHISTORY_CONFIG_H
++#define _PWHISTORY_CONFIG_H
++
++#include
++
++struct options_t {
++ int debug;
++ int enforce_for_root;
++ int remember;
++ int tries;
++ const char *filename;
++};
++typedef struct options_t options_t;
++
++void
++parse_config_file(pam_handle_t *pamh, int argc, const char **argv,
++ struct options_t *options);
++
++#endif /* _PWHISTORY_CONFIG_H */
+diff -up Linux-PAM-1.5.2/modules/pam_pwhistory/pwhistory.conf.pwhistory-config Linux-PAM-1.5.2/modules/pam_pwhistory/pwhistory.conf
+--- Linux-PAM-1.5.2/modules/pam_pwhistory/pwhistory.conf.pwhistory-config 2022-07-18 11:31:50.774295494 +0200
++++ Linux-PAM-1.5.2/modules/pam_pwhistory/pwhistory.conf 2022-07-18 11:31:50.774295494 +0200
+@@ -0,0 +1,21 @@
++# Configuration for remembering the last passwords used by a user.
++#
++# Enable the debugging logs.
++# Enabled if option is present.
++# debug
++#
++# root account's passwords are also remembered.
++# Enabled if option is present.
++# enforce_for_root
++#
++# Number of passwords to remember.
++# The default is 10.
++# remember = 10
++#
++# Number of times to prompt for the password.
++# The default is 1.
++# retry = 1
++#
++# The directory where the last passwords are kept.
++# The default is /etc/security/opasswd.
++# file = /etc/security/opasswd
diff --git a/pam.spec b/pam.spec
index 4f3e4e4..20bd5f4 100644
--- a/pam.spec
+++ b/pam.spec
@@ -4,7 +4,7 @@
Summary: An extensible library which provides authentication for applications
Name: pam
Version: 1.5.2
-Release: 12%{?dist}
+Release: 13%{?dist}
# The library is BSD licensed with option to relicense as GPLv2+
# - this option is redundant as the BSD license allows that anyway.
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -25,6 +25,7 @@ Source18: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
Patch1: pam-1.5.0-redhat-modules.patch
Patch2: pam-1.5.0-noflex.patch
Patch3: pam-1.3.0-unix-nomsg.patch
+Patch4: pam-1.5.2-pwhistory-config.patch
%{load:%{SOURCE3}}
@@ -118,6 +119,7 @@ cp %{SOURCE18} .
%patch1 -p1 -b .redhat-modules
%patch2 -p1 -b .noflex
%patch3 -p1 -b .nomsg
+%patch4 -p1 -b .pwhistory-config
autoreconf -i
@@ -324,6 +326,7 @@ done
%dir %{_pam_secconfdir}/namespace.d
%attr(755,root,root) %config(noreplace) %{_pam_secconfdir}/namespace.init
%config(noreplace) %{_pam_secconfdir}/pam_env.conf
+%config(noreplace) %{_pam_secconfdir}/pwhistory.conf
%config(noreplace) %{_pam_secconfdir}/time.conf
%config(noreplace) %{_pam_secconfdir}/opasswd
%dir %{_pam_secconfdir}/console.apps
@@ -359,6 +362,9 @@ done
%{_pam_libdir}/libpam_misc.so.%{so_ver}*
%changelog
+* Mon Jul 18 2022 Iker Pedrosa - 1.5.2-13
+- pam_pwhistory: load config from file
+
* Sun Feb 27 2022 Zbigniew Jędrzejewski-Szmek - 1.5.2-12
- Add Conflicts for pam version before the split